Abstract. In this work we initiate the question of whether quantum computers 
can provide us with an almost perfect source of classical randomness, and more 
generally, suffice for classical cryptographic tasks, such as encryption. Indeed, 
it was observed [SV86,MP91,DOPS04] that classical computers are insufficient 
for either one of these tasks when all they have access to is a realistic imperfect 
source of randomness, such as the Santha-Vazirani source. 
We answer this question in the negative, even in the following very restrictive 
model. We generously assume that quantum computation is error-free, and all 
the errors come in the measurements. We further assume that all the measurement 
errors are not only small but also detectable: namely, all that can happen is that 
with a small probability $p_\perp \le \delta$ the (perfectly performed) measurement will 
result in some distinguished symbol $\perp$ (indicating an "erasure"). Specifically, we 
assume that if an element $x$ was supposed to be observed with probability $p_x$, in 
reality it might be observed with probability $p'_x \in [(1-\delta)p_x, p_x]$, for some small 
$\delta > 0$ (so that $p_\perp = 1 - \sum_x p'_x \le \delta$). 

Our negative "quantum" result also implies a new "classical" result of indepen- 
dent interest: namely, even a much more restrictive form of (classical) Santha- 
Vazirani sources is not sufficient for randomness extraction and cryptography. 

1 Introduction 

Randomness is important in many areas of computer science, such as algorithms, cryp- 
tography and distributed computing. A common abstraction typically used in these ap- 
plications is that there exists some source of unbiased and independent random bits. 
However, in practice this assumption seems to be problematic: although there seem 
to be many ways to obtain somewhat random data, this data is almost never uniformly 
random, its exact distribution is unknown, and, correspondingly, various algorithms and 
protocols have to be based on imperfect sources of randomness. 

Not surprisingly, a large body of work (see below) has attempted to bridge the gap 
between this convenient theoretical abstraction and the actual reality. So far, however, 
most of this work concentrated on studying if classical computers can effectively use 
classical imperfect sources of randomness. In this work, we initiate the corresponding 
study regarding quantum computation. To motivate our question, we start by surveying 
the state of the art in using classical computers, which will demonstrate that such com- 
puters are provably incapable of tolerating even "mildly" imperfect random sources. 
Classical Approach to Imperfect Randomness. The most straightfor- 
ward approach to dealing with an imperfect random source is to deterministi- 
cally (and efficiently) extract nearly-perfect randomness from it. Indeed, many 
such results were obtained for several classes of imperfect random sources. 
They include various "streaming" sources [Neu51,Eli72,Blu86,LLS89], "bit-fixing" 
sources [CGH+85,BBR88,AL93,CDH+00,DSS01,KZ03], multiple independent im- 
perfect sources [SV86,Vaz87a,Vaz87b,CG88,DO03,DEOR04,BIW04] and efficiently 
samplable sources [TV00]. While these results are interesting and non-trivial, the above 
"deterministically extractable" sources assume a lot of structure or independence in the 
way they generate randomness. A less restrictive, and arguably more realistic, assump- 
tion on the random source would be to assume only that the source contains some en- 
tropy. We call such sources entropy sources. Entropy sources were first introduced by 
Santha and Vazirani [SV86], and later generalised by Chor and Goldreich [CG88], and 
Zuckerman [Zuc96]. 

The entropy sources of Santha and Vazirani [SV86] are the least imperfect (which 
means it is the hardest to show impossibility results for such sources) among the en- 
tropy sources considered so far (e.g., as compared to [CG88,Zuc96]). SV sources, as 
they are called, require every bit output by the source to have almost one bit of entropy, 
even when conditioned on all the previous bits. Unfortunately, already the original work 
of [SV86] (see also a simpler proof in [RVW04]) showed that deterministic random- 
ness extraction of even a single bit is not possible from all SV sources. This can also 
be considered as impossibility of pseudo-random generators with access to only an SV 
source. Moreover, this result was later extended by McInnes and Pinkas [MP91], who 
showed that in the classical setting of computationally unlimited adversaries, one cannot 
have secure symmetric encryption if the shared key comes from an SV source. Finally 
and most generally, Dodis et al. [DOPS04] showed that SV sources in fact cannot be 
used essentially for any interesting classical cryptographic task involving privacy (such 
as encryption, commitment, zero-knowledge, multiparty computation), even when 
restricting to computationally bounded adversaries. Thus, even for the currently most 
restrictive entropy sources, classical computation does not seem to suffice for applications 
inherently requiring randomness (such as extraction and cryptography).^ 

We also mention that the impossibility results no longer hold when the extracting 
party has a small amount of true randomness (this is the study of so called probabilistic 
randomness extractors [NZ96]), or if several independent entropy sources are available 
[SV86,Vaz87a,Vaz87b,CG88,DO03,DEOR04,BIW04]. 

Quantum Computers? Given the apparent inadequacy of classical computers to 
deal with entropy sources — at least for certain important tasks such as cryptography 
— , it is natural to ask if quantum computers can be of help. More specifically, given 
that quantum computation is inherently probabilistic, can we use quantum computers 
to generate nearly perfect randomness? (Or maybe just "good enough" randomness 
for cryptographic tasks like encryption, which, as we know [DS02], do not require 
perfect randomness?) For example, to generate a perfectly random bit from a fixed 
qubit $|0\rangle$, one can simply apply the Hadamard transform, and then measure the result 

^ In contrast, a series of celebrated positive results [VV85,SV86,CG88,Zuc96] show that even 
very weak entropy sources are enough for simulating probabilistic polynomial-time algorithms 
— namely, the task which does not inherently need randomness. This result was extended to 
interactive protocols by [DOPS04]. [DOPS04] also show that under certain strong, but reason- 
able computational assumptions, secure signatures seem to be possible with entropy sources. 
in the standard basis. Unfortunately, what prevents this simple solution from working 
in practice is the fact that it is virtually impossible to perform the above transformation 
(in particular, the measurement) precisely, so the resulting bit is likely to be slightly 
biased. In other words, we must deal with the noise. More generally, noise is a very 
serious issue in quantum computation, which means that certain error-correction and 
fault-tolerance must be applied in order to overcome such noise. Indeed, fault-tolerance 
is one of the major problems in quantum computing (see [NC00]), so we will have to 
address it as well. Jumping ahead, however, what will differentiate us from all the prior 
work in the area is the fact that we do not assume largely independent noise (which can 
be dealt with by quantum error-correction). 

But, first, let us explain why there are good reasons to hope for quantum computers 
to be useful despite the noise. When dealing with classical imperfect sources, we 
usually assume that the source comes from some family of distributions "outside of 
our control" (e.g., "nature"), so we would like to make as few assumptions about these 
distributions as we can. For example, this is why the study of imperfect randomness 
quickly converged to entropy sources as being the most plausible sources one could get 
from nature. In contrast, by using a quantum computer to generate our random source 
for us, we are proactively designing a source of randomness which is convenient for 
use, rather than passively hoping that nature will give us such a source. Indeed, if not 
for the noise, it would be trivial to generate ideal randomness in our setting. Moreover, 
even with noise we have a lot of freedom in adapting our quantum computer to generate 
and measure quantum states of our choice, depending on the computation so far. 

Our Model. We first define a natural model for using a (realistically noisy) quantum 
computer for the task of randomness extraction (or, more generally, any probabilistic 
computation, such as the one needed in classical cryptography). As we will see shortly, 
we will prove a negative result in our model, despite the optimism we expressed in the 
previous paragraph. Because of this, we will make the noise as small and as restrictive 
as we can, even if these restrictions are completely "generous" and unrealistic. Indeed, 
we will assume that the actual quantum computation is error-free, and all the errors 
come in the measurements (which are necessary to extract some classical result out of 
the system). Of course, in reality the quantum computation will also be quite noisy, 
but our assumption will not only allow us to get a stronger result, but also reduce our 
"quantum" question to a natural "purely classical" question of independent interest. 

Moreover, we will further assume that all the measurement errors are not only very 
small, but also detectable: namely, all that can happen is that with a small probability 
$p_\perp \le \delta$ the (perfectly performed) measurement will result in some distinguished 
symbol $\perp$ (indicating an "erasure"). Specifically, we assume that if an element $x$ was 
supposed to be observed with probability $p_x$, in reality it might be observed with probability 
$p'_x \in [(1-\delta)p_x, p_x]$, for some small $\delta > 0$ (so that $p_\perp = 1 - \sum_x p'_x \le \delta$). Thus, 
it is guaranteed that no events of small probability can be completely "removed", and 
the probability of no event can be increased. Moreover, as compared to the classical SV 
model, in our model the state to be measured can be prepared arbitrarily, irrespective of 
the computational complexity of preparing this state. Further, such quantum states can 
even be generated adaptively and based on the measurements so far. For comparison, 
in the SV model the "ideal" measurement would always correspond to an unbiased bit; 
additionally, the SV model allows for "errors" while we only allow "erasures". 
Our Result. Unfortunately, our main result will show that even in this extremely 
restrictive noise model, one cannot extract even a single nearly uniform bit. In other 
words, if the measurement errors could be correlated, quantum computers do not help 
to extract classical randomness. More generally, we extend the technique of [DOPS04] 
to our model and show that one cannot generate two (classical) computationally in- 
distinguishable distributions which are not nearly identical to begin with. This can be 
used to show the impossibility of classical encryption, commitment, zero-knowledge 
and other tasks exactly as in [DOPS04]. We notice, however, that our result does not 
exclude the possibility of generating perfect entanglement, which might be used to 
encrypt a message into a quantum state. Nevertheless, our result implies that, even with 
the help of such perfect entanglement, the user will not be able to generate a (shared) 
classical key that can be used for cryptographic tasks. To summarise, we only rule out 
the possibility of classical cryptography with quantumly generated randomness, 
leaving open the question of (even modelling!) quantum cryptography with noise. 

Of independent interest, we reduce our "quantum" problem to the study of a new 
classical source, which is considerably more restrictive than the SV source (and this 
restriction can really be enforced in our model). We then show a classical impossibility 
result for our new source, which gives a non-trivial generalisation of the correspond- 
ing impossibility result for the SV sources [DOPS04,SV86]. From another angle, it 
also generalises the impossibility of extraction from the so called "bias-control limited" 
(BCL) sources of [Dod01]. As with our source, the most general BCL source 
considered in [Dod01] can adaptively generate samples from arbitrary distributions (and not 
just random bits). However, the attacker is given significantly more freedom in bias- 
ing the "real" distributions. First, all expected "real" distributions can be changed to 
arbitrary statistically close ones (which gives more power than performing "detectable 
erasures"), and, second, a small number of "real" distributions can be changed arbitrar- 
ily (which we do not allow at all). 

To summarise, our main results can be viewed in three areas: 

1. A model of using noisy quantum computers for classical probabilistic computation. 

2. A reduction from a "quantum" question to the classical question concerning a much 
more restrictive variant of the SV (or general BCL) source(s). 

3. A non-trivial impossibility result for the classical source we define. 

Relation to Quantum Error-Correction. What differentiates us from the 
usual model of quantum computation with noise is the fact that our errors are not 
assumed independent. In particular, conventional results on fault-tolerant quantum 
computation (such as the threshold theorem; see [NC00] for more details) do not apply in 
our model (as is apparent from our negative results). From another perspective, our im- 
possibility result is not just a trivial application of the principle that one can always and 
without loss of generality postpone all the measurements until the end (a useful observation 
true in the "perfect measurement" case). For example, if all the measurements 
are postponed to the end, then we might observe a single "useless" $\perp$ symbol with non-trivial 
probability $\delta$, while with many measurements we are bound to observe a lot of 
"useful" non-$\perp$ symbols with probability exponentially close to one. 
Nevertheless, in our model one can trivially simulate probabilistic algorithms computing 
deterministic outputs, just as was the case for the classical computation. For 
example, here we actually can postpone all the measurements until the end, and then 
either obtain an error (with probability at most $\delta$ in which case the computation can be 
repeated), or the desired result (with probability arbitrarily close to $1 - \delta$). Of course, 
this "positive" result only holds because our noise model was made unrealistically restrictive 
(since we proved an impossibility result). Thus, it would be interesting to define 
a less restrictive (and more realistic!) error model — for example where the actual quantum 
computation is not error-free — and see if this feasibility result would still hold. 

Finally, the problem of detection errors has been studied in the context of non-locality 
testing [CH74,MSS83,Mas02], which tries to experimentally prove the intriguing 
phenomenon that the behaviour of certain distant but entangled particles cannot be 
explained by classical randomness. These results are of the same flavor as our impossi- 
bility result. Indeed, they show that, if certain detection probability is too low, then the 
outputs might be chosen in a malicious way such that the resulting statistics does not 
imply non-locality. To our knowledge, this is the only result where some impossibility 
is proved, based on the assumption that certain errors occur. 

2 Definition of the source 

A source with $n$ outputs $X_1, X_2, \ldots, X_n$ is specified by a joint probability distribution 
$P_{X_1 \cdots X_n}$. However, for most realistic sources, the actual distribution $P_{X_1 \cdots X_n}$ can usually 
not be fully determined. Instead, only a few characteristics of the source are known, 
e.g., that the conditional probability distributions^ $P_{X_i|X^{i-1}}$ have certain properties. A 
well-known example for such a characterisation are the Santha-Vazirani sources. 

Definition 1 ([SV86]). A probability distribution $P_{X_1 \cdots X_n}$ on $\{0,1\}^n$ is an $\alpha$-SV 
source if for all $i \in \{1, \ldots, n\}$ and $x^{i-1} \in \{0,1\}^{i-1}$ we have 

$$P_{X_i|X^{i-1}=x^{i-1}}(0) \in [\alpha, 1-\alpha] .$$

We will define a more general class of sources which, in some sense, includes the 
SV sources (cf. Appendix). The main motivation for our definition is to capture any 
kind of randomness that can be generated using imperfect (quantum) physical devices. 
Indeed, we will show in Section 3 that the randomness generated by any imperfect 
physical device cannot be more useful than the randomness obtained from a source as 
defined below. 

Intuitively, a source can be seen as a device which sequentially outputs symbols 
$X_1, \ldots, X_n$ from some alphabet $\mathcal{X}$. Each output $X_i$ is chosen according to some fixed 
probability distribution which might depend on all previous outputs $X_1, \ldots, X_{i-1}$. The 
"imperfectness" of the source is then modelled as follows. Each output $X_i$ is "erased" 
with some probability $p_\perp$, i.e., it is replaced by some distinguished symbol $\perp$. This 
erasure probability might depend on the actual output $X_i$ as well as on all previous 
outputs $X_1, \ldots, X_{i-1}$, but is upper bounded by some fixed parameter $\delta$. 

^ We write $X^k$ to denote the $k$-tuple $(X_1, \ldots, X_k)$. 
^ $P_{X_i|X^{i-1}=x^{i-1}}$ denotes the probability distribution of $X_i$ conditioned on the event that the 
$(i-1)$-tuple $X^{i-1} = (X_1, \ldots, X_{i-1})$ takes the value $x^{i-1} = (x_1, \ldots, x_{i-1})$. 

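Before stating the formal definition, let us introduce some notation to be used in the 
sequel. For any set $\mathcal{X}$, we denote by $\bar{\mathcal{X}}$ the set $\bar{\mathcal{X}} := \mathcal{X} \cup \{\perp\}$ which contains an extra 
symbol $\perp$. For a probability distribution $P_X$ on $\mathcal{X}$ and $\delta > 0$, let $\mathcal{P}^\delta(P_X)$ be the set of 
probability distributions $\bar{P}_X$ on $\bar{\mathcal{X}}$ such that 

$$(1-\delta)\,P_X(x) \le \bar{P}_X(x) \le P_X(x) ,$$

for all $x \in \mathcal{X}$. In particular, the probability of the symbol $\perp$ is bounded by $\delta$, that is, 

$$\bar{P}_X(\perp) \le \delta .$$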

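Definition 2. Let $\delta > 0$ and let, for any $i \in \{1, \ldots, n\}$, $Q_{X_i|X^{i-1}}$ be a channel^ from 
$\bar{\mathcal{X}}^{i-1}$ to $\mathcal{X}$. A probability distribution $P_{X_1 \cdots X_n}$ on $\bar{\mathcal{X}}^n$ is a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source if 
for all $i \in \{1, \ldots, n\}$ and $x^{i-1} = (x_1, \ldots, x_{i-1}) \in \bar{\mathcal{X}}^{i-1}$ we have 

$$P_{X_i|X^{i-1}=x^{i-1}} \in \mathcal{P}^\delta(Q_{X_i|X^{i-1}=x^{i-1}}) .$$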

In the Appendix, we show that $(\delta, \{Q_{X_i|X^{i-1}}\})$-sources can be used to simulate 
$\alpha$-SV sources, for some appropriately chosen $\alpha$. This means that $(\delta, \{Q_{X_i|X^{i-1}}\})$-sources 
are at least as useful as SV sources. The other direction is, however, not true. That 
is, $(\delta, \{Q_{X_i|X^{i-1}}\})$-sources have a strictly less "malicious" behaviour than SV sources 
(which makes our impossibility proofs stronger). 
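
The following Python sketch is an added illustration and not part of the paper: for a fixed deterministic extractor f it computes, by exact backward induction over all erasure strategies allowed by Definition 2, the smallest and largest value of Pr[f(X^n) = 0] that a $(\delta, \{Q\})$-source can produce. It goes beyond one hand-picked source by optimising over the whole class; the function names, the three sample extractors and the uniform-bit channel are assumptions made for the example.

```python
from fractions import Fraction

ERASED = "⊥"  # the distinguished erasure symbol of the source model


def in_p_delta(p_bar, q, delta):
    """True if p_bar (dict over symbols plus ERASED) lies in P^delta(q):
    (1 - delta) * q(x) <= p_bar(x) <= q(x) for every regular symbol x."""
    if not set(p_bar) <= set(q) | {ERASED}:
        return False
    bounded = all((1 - delta) * q[x] <= p_bar.get(x, 0) <= q[x] for x in q)
    return bounded and sum(p_bar.values()) == 1


def extreme_probability(f, n, Q, delta, maximise=True):
    """Exact max (or min) of Pr[f(X^n) = 0] over all (delta, {Q})-sources.

    Q(prefix) returns the ideal conditional distribution {symbol: prob} of
    the next output given the observed prefix, which may contain ERASED.
    The search visits every prefix, so it is only meant for small n.
    """
    pick = max if maximise else min

    def value(prefix):
        if len(prefix) == n:
            return Fraction(int(f(prefix) == 0))
        v_erased = value(prefix + (ERASED,))
        total = Fraction(0)
        for x, q in Q(prefix).items():
            v_x = value(prefix + (x,))
            # Erasing x at rate lam in [0, delta] moves mass lam * q from x
            # to ERASED. The objective is linear in lam, so one of the two
            # end points lam = 0 or lam = delta is optimal.
            total += q * pick(v_x, (1 - delta) * v_x + delta * v_erased)
        return total

    return value(())


def uniform_bit(prefix):
    """Assumed ideal channel: an unbiased bit, independent of the history."""
    return {0: Fraction(1, 2), 1: Fraction(1, 2)}


def first_valid_bit(xs):
    """Candidate extractor: first non-erased bit (0 if all were erased)."""
    return next((x for x in xs if x != ERASED), 0)


def parity(xs):
    """Candidate extractor: XOR of all non-erased bits."""
    return sum(x for x in xs if x != ERASED) % 2


def majority(xs):
    """Candidate extractor: 1 iff ones outnumber zeros among valid bits."""
    bits = [x for x in xs if x != ERASED]
    return int(2 * sum(bits) > len(bits))


def bias_range(f, n, delta, Q=uniform_bit):
    """(min, max) of Pr[f = 0] that correlated erasures can enforce."""
    lo = extreme_probability(f, n, Q, delta, maximise=False)
    hi = extreme_probability(f, n, Q, delta, maximise=True)
    return lo, hi


if __name__ == "__main__":
    delta = Fraction(1, 10)
    for name, f in [("first valid bit", first_valid_bit),
                    ("parity", parity), ("majority", majority)]:
        lo, hi = bias_range(f, 6, delta)
        print(f"{name:16s} Pr[f=0] in [{float(lo):.4f}, {float(hi):.4f}]")
```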

3 The quantum model 

In this section, we propose a model that describes the extraction of classical informa- 
tion from imperfect quantum physical devices. Clearly, our considerations also include 
purely classical systems as a special case. 

First, in Section 3.1, we review the situation where the quantum device is perfect. In 
this case, the process of extracting randomness can most generally be seen as a sequence 
of perfect quantum operations and perfect measurements. Then, in Section 3.2, we con- 
sider the imperfect case where the quantum device is subject to (malicious) noise. As 
we shall see, in order to get strong impossibility results, it is sufficient to extend the 
standard notion of perfect measurements by the possibility of detectable failures in the 
measurement process. 

3.1 The perfect case 

Let us briefly review some basic facts about quantum mechanics. The state of a quantum 
system is specified by a projector $P_{|\psi\rangle}$ onto a vector $|\psi\rangle$ in a Hilbert space $\mathcal{H}$. More 
generally, if a system is prepared by choosing a state from some family $\{|\psi_z\rangle\}_{z \in \mathcal{Z}}$ according 
to a probability distribution $P_Z$ on $\mathcal{Z}$, then the behaviour of the system is fully 
described by the density operator $\rho := \sum_{z \in \mathcal{Z}} P_Z(z) P_{|\psi_z\rangle}$. The most general operation 
that can be applied on a quantum system is specified by a family $\mathcal{E} = \{E_x\}_{x \in \mathcal{X}}$ 
of operators on $\mathcal{H}$ such that $\sum_{x \in \mathcal{X}} E_x^\dagger E_x = \mathrm{id}_{\mathcal{H}}$ (see, e.g., [NC00]). When $\mathcal{E}$ is applied 
to a system which is in state $\rho$, then, with probability $P_X(x) := \mathrm{tr}(E_x \rho E_x^\dagger)$, 
the classical output $x \in \mathcal{X}$ is produced and the final state $\rho_x$ of the system is 
$\rho_x := \frac{1}{P_X(x)} E_x \rho E_x^\dagger$. Hence, when ignoring the classical output $x$, the state $\mathcal{E}(\rho)$ 
of the system after applying the operation $\mathcal{E}$ is the average of the states $\rho_x$, that is, 
$\mathcal{E}(\rho) := \sum_x P_X(x) \rho_x = \sum_x E_x \rho E_x^\dagger$. 

^ A channel $Q_{Y|X}$ from $\mathcal{X}$ to $\mathcal{Y}$ is a function on $\mathcal{Y} \times \mathcal{X}$ such that, for any $x \in \mathcal{X}$, 
$Q_{Y|X=x} := Q_{Y|X}(\cdot, x)$ is a probability distribution on $\mathcal{Y}$. 

It is important to note that also the action of preparing a quantum system to be in a 
certain state $\rho_0$ can be described by a quantum operation $\mathcal{E}$. To see this, let $\rho_0$ be given 
by $\rho_0 = \sum_{z \in \mathcal{Z}} P_Z(z) P_{|\psi_z\rangle}$, for some family of vectors $\{|\psi_z\rangle\}_{z \in \mathcal{Z}}$ and a probability 
distribution $P_Z$ on $\mathcal{Z}$. Additionally, let $\{|i\rangle\}_{i \in \{1, \ldots, d\}}$ be an orthonormal basis of $\mathcal{H}$. It 
is easy to verify that the quantum operation $\mathcal{E} = \{E_{z,i}\}_{z \in \mathcal{Z}, i \in \{1, \ldots, d\}}$ defined by the 
operators 

$$E_{z,i} := \sqrt{P_Z(z)}\,|\psi_z\rangle\langle i|$$

maps any arbitrary state $\rho$ to $\rho_0$, that is, $\mathcal{E}(\rho) = \rho_0$. 

We are now ready to describe the process of randomness extraction from a quantum 
system. Consider a classical user with access to a quantum physical device. The most 
general thing he can do is to subsequently apply quantum operations, where each of 
these operations provides him with classical information which he might use to select 
the next operation. To describe this on a formal level, let $\mathcal{H}$ be a Hilbert space and let 
$\mathcal{X}$ be a set. The strategy of the user in each step $i$ is then defined by the quantum operation 
$\mathcal{E}^{x^{i-1}} = \{E_x^{x^{i-1}}\}_{x \in \mathcal{X}}$ he applies depending on the classical outputs $x^{i-1} \in \mathcal{X}^{i-1}$ 
obtained in the previous steps. Note that, according to the above discussion, this description 
also includes the action of preparing (parts of) the quantum system in a certain 
state. We can thus assume without loss of generality that the initial state of the system is 
given by some fixed projector $P_{|\psi_0\rangle}$. The probability distribution $P_{X_i|X^{i-1}=x^{i-1}}$ of the 
classical outcomes in the $i$th step conditioned on the previous outputs $x^{i-1}$ as well as 
the quantum state $\rho_{x^i}$ after the $i$th step given the outputs $x^i$ is then recursively defined 
by $\rho_{x^0} := P_{|\psi_0\rangle}$ and 

$$P_{X_i|X^{i-1}=x^{i-1}}(x) := \mathrm{tr}\big(E_x^{x^{i-1}} \rho_{x^{i-1}} E_x^{x^{i-1}\dagger}\big) \qquad (1)$$

$$\rho_{x^i} = \rho_{(x^{i-1},x)} := \frac{1}{P_{X_i|X^{i-1}=x^{i-1}}(x)}\, E_x^{x^{i-1}} \rho_{x^{i-1}} E_x^{x^{i-1}\dagger} . \qquad (2)$$

3.2 Quantum measurements with malicious noise 

We will now extend the model of the previous section to include situations where the 
quantum operations are subject to noise. As we are interested in proving the impossi- 
bility of certain tasks in the presence of noise, our results are stronger if we assume that 
only parts of the quantum operation are noisy. In particular, we will restrict to systems 
where only the classical measurements are subject to perturbations.^ 

Formally, we define an imperfect quantum device by its behaviour when applying 
any operation $\mathcal{E}$. Let $\delta > 0$ and let $\mathcal{E} = \{E_{x,u}\}_{x \in \mathcal{X}, u \in \mathcal{U}}$ be a quantum operation which 
produces two classical outcomes $x$ and $u$, where $x$ is the part of the output that is observed 
by the user. The operation $\mathcal{E}$ acts on the imperfect device as it would in the 
perfect case, except that each output $x$ is, with some probability $\lambda_x \le \delta$, replaced by a 
symbol $\perp$, indicating that something went wrong. Additionally, we assume that, whenever 
such an error occurs, the state of the system remains unchanged.^ The resulting 
probability distribution $P_X$ of the outputs when applying $\mathcal{E}$ to an imperfect device in 
state $\rho$ is thus given by 

$$P_X(x) := \sum_u (1 - \lambda_x)\,\mathrm{tr}\big(E_{x,u}\,\rho\,E_{x,u}^\dagger\big) .$$

In particular, the probability of the symbol $\perp$ is $P_X(\perp) = 1 - \sum_{x \in \mathcal{X}} P_X(x) \le \delta$. 

Let us now consider the interaction of a user with such an imperfect quantum device. 
In each step $i$, he either observes the correct outcome or he gets the output $\perp$, indicating 
that something went wrong. The user might want to use this information to choose the 
subsequent operations. His strategy is thus defined by a family $\{\mathcal{E}^{x^{i-1}}\}_{x^{i-1} \in \bar{\mathcal{X}}^{i-1}}$ of 
quantum operations $\mathcal{E}^{x^{i-1}} = \{E_{x,u}^{x^{i-1}}\}_{x \in \mathcal{X}, u \in \mathcal{U}}$.^ The conditional probability distributions 
$P_{X_i|X^{i-1}=x^{i-1}}$ of the observed outputs in the $i$th step, for $x^{i-1} \in \bar{\mathcal{X}}^{i-1}$, and the 
states after the $i$th step are recursively defined, analogously to (1) and (2), by 

$$P_{X_i|X^{i-1}=x^{i-1}}(x) := (1 - \lambda_{x^{i-1},x})\, Q_{X_i|X^{i-1}=x^{i-1}}(x) \quad \text{for } x \in \mathcal{X}$$

$$\rho_{(x^{i-1},x)} := \begin{cases} \dfrac{1}{Q_{X_i|X^{i-1}=x^{i-1}}(x)} \sum_{u \in \mathcal{U}} E_{x,u}^{x^{i-1}} \rho_{x^{i-1}} E_{x,u}^{x^{i-1}\dagger} & \text{if } x \in \mathcal{X} \\ \rho_{x^{i-1}} & \text{if } x = \perp , \end{cases}$$

for some $\lambda_{x^{i-1},x} \in [0, \delta]$, where $Q_{X_i|X^{i-1}}$ is the channel from $\bar{\mathcal{X}}^{i-1}$ to $\mathcal{X}$ given by 

$$Q_{X_i|X^{i-1}=x^{i-1}}(x) := \sum_{u \in \mathcal{U}} \mathrm{tr}\big(E_{x,u}^{x^{i-1}} \rho_{x^{i-1}} E_{x,u}^{x^{i-1}\dagger}\big) .$$

Let $P_{X^n} = P_{X_1 \cdots X_n}$ be the probability distribution of the observed outcomes after 
$n$ steps. It follows directly from the above formulas that $P_{X^n}$ is a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source. 
On the other hand, if $P_{X^n}$ is a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source, then there exist weights 
$\lambda_{x^{i-1},x} \in [0, \delta]$ such that the conditional probabilities are given by the above formulas. 
This reduces our "quantum" problem to a totally classical problem for an imperfect 
source considerably more restrictive than an SV source (see Appendix). The corresponding 
impossibility result is given in the next section. 

^ To see that our model leads to strong impossibility results, consider for example an adversary 
who is allowed to transform the quantum state $\rho$ of the device into a state $\rho'$ which has at 
most trace distance $\delta$ to the original state $\rho$. Let $\mathcal{M}$ be a fixed von Neumann measurement and 
let $P$ be the distribution resulting from applying $\mathcal{M}$ to $\rho$. It is easy to see that, for any given 
probability distribution $P'$ which is $\delta$-close to $P$, the adversary can set the device into a state 
$\rho'$ such that a measurement $\mathcal{M}$ of $\rho'$ gives rise to the distribution $P'$. Consequently, such an 
adversary is at least as powerful as an adversary who can only modify the distribution of the 
measurement outcomes, as proposed in our model. In particular, our impossibility results also 
apply to this case. 

^ This means that, even if a measurement error occurs, the state of the quantum system is not 
destroyed. (Recall that our impossibility results are stronger the closer our model is to a model 
describing perfect systems.) 

^ Note that, unlike in the perfect case, the measurements cannot be postponed to the end of 
the protocol. For example, if the user performs many measurements during the protocol, it is 
very unlikely that all the outcomes are wrong, i.e., he still gets some useful information with 
probability almost one. On the other hand, if the user replaces all his measurements by one 
single overall measurement (at the end of the protocol) it might fail with probability $\delta$. 

4 Main technical lemma 

Our main technical result can be seen as an extension of a result proved for SV sources 
(cf. Lemma 3.5 of [DOPS04]). Roughly speaking, Lemma 1 below states that a task 
$g$ which requires perfect random bits can generally not be replaced by another task $f$ 
which only uses imperfect bits. Note that this impossibility is particularly interesting 
for cryptography where many tasks do in fact use randomness. 

More precisely, let $g$ be an arbitrary strategy which uses imperfect randomness $X^n$ 
and, in addition, some perfect randomness $Y$ (whose probability distribution might even 
depend on the values of $X^n$). Let $f$ be another strategy which only uses imperfect 
randomness $X^n$. Furthermore, assume that, for any $(\delta, \{Q_{X_i|X^{i-1}}\})$-source $P_{X_1 \cdots X_n}$, 
the output distributions of the strategies $g$ and $f$ are (almost) identical. Then the strategy 
$g$ is (roughly) the same as $f$, that is, it (virtually) does not use the randomness $Y$. 

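Lemma 1. Let $f$ be a function from $\bar{\mathcal{X}}^n$ to $\mathcal{Z}$, $g$ be a function from $\bar{\mathcal{X}}^n \times \mathcal{Y}$ to $\mathcal{Z}$ 
and $m = \lceil \log_2(|\mathcal{Z}|) \rceil$. For any $i \in \{1, \ldots, n\}$, let $Q_{X_i|X^{i-1}}$ be a channel from $\bar{\mathcal{X}}^{i-1}$ 
to $\mathcal{X}$, let $Q_{Y|X^n}$ be a channel from $\bar{\mathcal{X}}^n$ to $\mathcal{Y}$, and let $\delta > 0$. Let $\Gamma$ be the set of all 
probability distributions $P_{X^n Y}$ on $\bar{\mathcal{X}}^n \times \mathcal{Y}$ such that $P_{X^n}$ is a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source^ 
and $P_{Y|X^n} = Q_{Y|X^n}$. If for all $P_{X^n Y} \in \Gamma$, 

$$\| P_{f(X^n)} - P_{g(X^n,Y)} \|_1 \le \varepsilon ,$$

then there exists $P_{X^n Y} \in \Gamma$ such that 

$$\Pr_{(x^n,y) \leftarrow P_{X^n Y}}\big[ f(x^n) \ne g(x^n,y) \big] \le 5 \varepsilon m \delta^{-1} .$$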

Proof. Assume first that the functions $f$ and $g$ are binary, i.e., $\mathcal{Z} = \{0, 1\}$. The idea is to 
define two probability distributions $P_{V^n Y}, P_{W^n Y} \in \Gamma$ such that the output distributions 
of the function $f$, $f(V^n)$ and $f(W^n)$, are "maximally different". Then, by assumption, 
the output distributions of $g(V^n, Y)$ and $g(W^n, Y)$ must be different as well. This will 
then be used to conclude that the outputs of $f$ and $g$ are actually equal for most inputs. 

In order to define the distributions $P_{V^n Y}$ and $P_{W^n Y}$, we first consider some 
"intermediate distribution" $P_{\bar{X}^n Y}$, defined as the unique probability distribution on 
$\bar{\mathcal{X}}^n \times \mathcal{Y}$ such that $P_{Y|\bar{X}^n} = Q_{Y|X^n}$ and, for any $i \in \{1, \ldots, n\}$ and $x^{i-1} \in \bar{\mathcal{X}}^{i-1}$, 

$$P_{\bar{X}_i|\bar{X}^{i-1}=x^{i-1}}(x) := \begin{cases} \big(1 - \frac{\delta}{2}\big)\, Q_{X_i|X^{i-1}=x^{i-1}}(x) & \text{if } x \in \mathcal{X} \\ \frac{\delta}{2} & \text{if } x = \perp . \end{cases}$$

Note that $P_{\bar{X}_i|\bar{X}^{i-1}=x^{i-1}} \in \mathcal{P}^\delta(Q_{X_i|X^{i-1}=x^{i-1}})$, i.e., $P_{\bar{X}^n}$ is a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source, 
and thus $P_{\bar{X}^n Y} \in \Gamma$. 

^ Similarly to the argument in [DOPS04], the proof can easily be extended to a statement which 
holds for an even stronger type of sources, where the conditional probability distributions of 
each $X_i$ given all other source outputs, and not only the previous ones $X^{i-1}$, is contained in a 
certain set. 

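The distribution $P_{V^n}$ is now defined from $P_{\bar{X}^n}$ by raising the probabilities of all 
values^ $x^n \in f^{-1}(0)$ that $f$ maps to 0 and lowering the probabilities of all $x^n \in f^{-1}(1)$. 
Similarly, $P_{W^n}$ is defined by changing the probabilities of $P_{\bar{X}^n}$ in the other direction. 
For the formal definition, we assume without loss of generality that $P_{f(\bar{X}^n)}(0) \le \frac{1}{2}$ and 
set $\alpha := P_{f(\bar{X}^n)}(0) / P_{f(\bar{X}^n)}(1)$, i.e., $\alpha \le 1$. $P_{V^n}$ and $P_{W^n}$ are then given by 

$$P_{V^n}(x^n) := \begin{cases} P_{\bar{X}^n}(x^n)(1 + \tau) & \text{if } x^n \in f^{-1}(0) \\ P_{\bar{X}^n}(x^n)(1 - \alpha\tau) & \text{if } x^n \in f^{-1}(1) \end{cases}$$

$$P_{W^n}(x^n) := \begin{cases} P_{\bar{X}^n}(x^n)(1 - \tau) & \text{if } x^n \in f^{-1}(0) \\ P_{\bar{X}^n}(x^n)(1 + \alpha\tau) & \text{if } x^n \in f^{-1}(1) , \end{cases}$$

where $\tau := \frac{\delta}{4}$. Because 

$$\sum_{x^n \in \bar{\mathcal{X}}^n} P_{V^n}(x^n) = \sum_{x^n \in f^{-1}(0)} P_{\bar{X}^n}(x^n)(1 + \tau) + \sum_{x^n \in f^{-1}(1)} P_{\bar{X}^n}(x^n)(1 - \alpha\tau) = P_{f(\bar{X}^n)}(0)(1 + \tau) + P_{f(\bar{X}^n)}(1)(1 - \alpha\tau) = 1 ,$$

$P_{V^n}$ and, similarly, $P_{W^n}$, is indeed a probability distribution. 

We claim that $P_{V^n}$ and $P_{W^n}$ are $(\delta, \{Q_{X_i|X^{i-1}}\})$-sources. To see this, note first 
that, for any $i \in \{1, \ldots, n\}$ and $x^i \in \bar{\mathcal{X}}^i$, $(1 - \alpha\tau) P_{\bar{X}^i}(x^i) \le P_{V^i}(x^i)$ and 
$P_{V^i}(x^i) \le (1 + \tau) P_{\bar{X}^i}(x^i)$. Hence, for any $x \in \mathcal{X}$ and $x^{i-1} \in \bar{\mathcal{X}}^{i-1}$, 

$$P_{V_i|V^{i-1}=x^{i-1}}(x) = \frac{P_{V_i V^{i-1}}(x, x^{i-1})}{P_{V^{i-1}}(x^{i-1})} \ge \frac{(1 - \alpha\tau)\, P_{\bar{X}_i \bar{X}^{i-1}}(x, x^{i-1})}{(1 + \tau)\, P_{\bar{X}^{i-1}}(x^{i-1})} = \frac{1 - \alpha\tau}{1 + \tau}\, P_{\bar{X}_i|\bar{X}^{i-1}=x^{i-1}}(x) = \frac{1 - \alpha\tau}{1 + \tau} \Big(1 - \frac{\delta}{2}\Big) Q_{X_i|X^{i-1}=x^{i-1}}(x) .$$

Because $\alpha \le 1$, we have $P_{V_i|V^{i-1}=x^{i-1}}(x) \ge (1 - \delta)\, Q_{X_i|X^{i-1}=x^{i-1}}(x)$. Similarly, 

$$P_{V_i|V^{i-1}=x^{i-1}}(x) \le \frac{1 + \tau}{1 - \alpha\tau}\, P_{\bar{X}_i|\bar{X}^{i-1}=x^{i-1}}(x) = \frac{1 + \tau}{1 - \alpha\tau} \Big(1 - \frac{\delta}{2}\Big) Q_{X_i|X^{i-1}=x^{i-1}}(x)$$

which implies $P_{V_i|V^{i-1}=x^{i-1}}(x) \le Q_{X_i|X^{i-1}=x^{i-1}}(x)$. Combining these inequalities, 
we conclude $P_{V_i|V^{i-1}=x^{i-1}} \in \mathcal{P}^\delta(Q_{X_i|X^{i-1}=x^{i-1}})$, i.e., $P_{V^n}$ is a 
$(\delta, \{Q_{X_i|X^{i-1}}\})$-source. A similar computation shows that also the distribution $P_{W^n}$ 
is a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source. Consequently, the distributions $P_{V^n Y}$ and $P_{W^n Y}$ defined 
by $P_{Y|V^n} = Q_{Y|X^n}$ and $P_{Y|W^n} = Q_{Y|X^n}$, respectively, are contained in the set $\Gamma$. 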

Next, we will analyse the behaviour of the function $g$ for inputs chosen according 
to $P_{V^n Y}$ and $P_{W^n Y}$, respectively, and compare it to $f$. For this, let $q_{x^n}$ be the 
probability that, given some fixed $x^n \in \bar{\mathcal{X}}^n$, the output of $g$ is zero, i.e., 
$q_{x^n} := \Pr_{y \leftarrow Q_{Y|X^n=x^n}}[g(x^n, y) = 0]$. Because $P_{Y|\bar{X}^n} = P_{Y|V^n} = P_{Y|W^n} = Q_{Y|X^n}$, we 
get 

^ For $z \in \{0, 1\}$, $f^{-1}(z) := \{x \in \bar{\mathcal{X}}^n : f(x) = z\}$ denotes the preimage of $z$ under the 
mapping $f$. 

The probability that the output of $f$ is zero for the distributions $P_{V^n}$ and $P_{W^n}$ can then, 
obviously, be written as 

$$P_{f(V^n)}(0) = \sum_{x^n \in f^{-1}(0)} P_{\bar{X}^n}(x^n)(1 + \tau) , \qquad P_{f(W^n)}(0) = \sum_{x^n \in f^{-1}(0)} P_{\bar{X}^n}(x^n)(1 - \tau) .$$

Similarly, for $g$, we have 

$$P_{g(V^n,Y)}(0) = \sum_{x^n \in f^{-1}(0)} P_{\bar{X}^n}(x^n)(1 + \tau)\, q_{x^n} + \sum_{x^n \in f^{-1}(1)} P_{\bar{X}^n}(x^n)(1 - \alpha\tau)\, q_{x^n}$$

$$P_{g(W^n,Y)}(0) = \sum_{x^n \in f^{-1}(0)} P_{\bar{X}^n}(x^n)(1 - \tau)\, q_{x^n} + \sum_{x^n \in f^{-1}(1)} P_{\bar{X}^n}(x^n)(1 + \alpha\tau)\, q_{x^n} .$$

By assumption of the lemma, because $P_{V^n Y}$ and $P_{W^n Y}$ are contained in the set $\Gamma$, the 
output distributions of $f$ and $g$ must be close, that is, $|P_{f(V^n)}(0) - P_{g(V^n,Y)}(0)| \le \frac{\varepsilon}{2}$ 
and $|P_{f(W^n)}(0) - P_{g(W^n,Y)}(0)| \le \frac{\varepsilon}{2}$, and hence 
$(P_{f(V^n)}(0) - P_{g(V^n,Y)}(0)) - (P_{f(W^n)}(0) - P_{g(W^n,Y)}(0)) \le \varepsilon$. Replacing these probabilities 
by the above expressions leads to 

$$\sum_{x^n \in f^{-1}(0)} P_{\bar{X}^n}(x^n)\, 2\tau (1 - q_{x^n}) + \sum_{x^n \in f^{-1}(1)} P_{\bar{X}^n}(x^n)\, 2\alpha\tau\, q_{x^n} \le \varepsilon . \qquad (3)$$

Note that this imposes some restrictions on the possible values of $q_{x^n}$. Roughly speaking, 
if $f$ maps a certain input $x^n$ to 0, then the probability $1 - q_{x^n}$ that $g$ maps $x^n$ to 1 
must be small. In fact, as we shall see, (3) implies a bound on the probability that the 
outputs of $f$ and $g$ are different. 

With the definition $p_{z,w} := P_{f(X^n)g(X^n,Y)}(z,w)$, for $(z,w) \in \{0,1\}^2$, and using again the assumption of the lemma,

$$|p_{0,1} - p_{1,0}| = |(p_{0,0} + p_{0,1}) - (p_{0,0} + p_{1,0})| = |P_{f(X^n)}(0) - P_{g(X^n,Y)}(0)| \le \frac{\varepsilon}{2} ,$$

hence,

$$\Pr[f(x^n) \ne g(x^n,y)] \le p_{0,1} + p_{0,1} + |p_{1,0} - p_{0,1}| \le 2p_{0,1} + \frac{\varepsilon}{2} . \qquad (4)$$

Using (3) and the fact that the second sum is nonnegative, we get an upper bound for $p_{0,1}$, that is,

$$p_{0,1} = \sum_{x^n} P_{X^n}(x^n)\,P_{f(X^n)|X^n=x^n}(0)\,P_{g(X^n,Y)|X^n=x^n}(1)$$

= E Px4^")(i-«.")<^ = |- 

x"e/-i(o) 
Combining this with (4), we conclude $\Pr_{(x^n,y) \leftarrow P_{X^nY}}[f(x^n) \ne g(x^n,y)]$ < ^ + § < ^, which proves the lemma for the binary case where $\mathcal{Z} = \{0, 1\}$.

To deduce the statement for arbitrary sets $\mathcal{Z}$, consider an (injective) encoding function $c$ which maps each element $z \in \mathcal{Z}$ to an $m$-tuple $(c_1(z), \dots, c_m(z))$. Since the $L_1$-norm $\|\cdot\|_1$ can only decrease when applying a function, the assumption of the lemma implies that, for all probability distributions $P_{X^nY} \in \Gamma$, $\|P_{f_k(X^n)} - P_{g_k(X^n,Y)}\|_1 \le \varepsilon$, where $f_k := c_k \circ f$ and $g_k := c_k \circ g$, for any $k \in \{1, \dots, m\}$. The assertion then follows from the binary version of the lemma and the union bound. □

As was shown in [DOPS04], Lemma 1 implies not only impossibility of extracting nearly perfect randomness, but also impossibility of doing almost any classical task involving privacy (such as encryption, commitment, etc.). For illustrative purposes, we give such an argument for extraction, referring to [DOPS04] regarding the other tasks.

Corollary 1. Let $f$ be a function from $\mathcal{X}^n$ to $\{0, 1\}$ and $P_U$ be the uniform distribution on $\{0, 1\}$. For any $i \in \{1, \dots, n\}$, let $Q_{X_i|X^{i-1}}$ be a channel from $\mathcal{X}^{i-1}$ to $\mathcal{X}$, and let $\delta > 0$. Then there exists a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source $P_{X^n}$ such that

\\PS(Xr^)-Puh>^, 

Proof. Assume by contradiction that, for any $(\delta, \{Q_{X_i|X^{i-1}}\})$-source $P_{X^n}$, $\|P_{f(X^n)} - P_U\|_1 <$ jq. Let $g$ be the function on $\mathcal{X}^n \times \{0, 1\}$ defined by $g(x^n, u) := u$. Then, for any probability distribution $P_{X^nU} = P_{X^n} \times P_U$, where $P_{X^n}$ is a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source, we have $\|P_{f(X^n)} - P_{g(X^n,U)}\|_1 <$ Jq. Lemma 1 thus implies that there exists a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source $P_{X^n}$ with $\Pr_{(x^n,u) \leftarrow P_{X^n} \times P_U}[f(x^n) \ne g(x^n,u)] < \frac{1}{2}$, that is, $\Pr_{(x^n,u) \leftarrow P_{X^n} \times P_U}[f(x^n) \ne u] < \frac{1}{2}$. This is a contradiction because $P_U$ is the uniform distribution on $\{0, 1\}$. □



Appendix: Relation to Santha-Vazirani sources 

Let $P_{X^n}$ be a $(\delta, \{Q_{X_i|X^{i-1}}\})$-source, for some $\delta > 0$ and channels $Q_{X_i|X^{i-1}}$. It is easy to verify that, if $\delta <$ then the entropy of the $i$th output $X_i$ conditioned on any value of the previous outputs $X_1, \dots, X_{i-1}$ is lower bounded by the entropy of

$$H(X_i|X^{i-1} = x^{i-1}) = H(P_{X_i|X^{i-1}=x^{i-1}}) \ge H(Q_{X_i|X^{i-1}=x^{i-1}}) , \qquad (5)$$

for any $x^{i-1} \in \mathcal{X}^{i-1}$. This holds with respect to any "reasonable" entropy measure $H$, as, for instance, the Shannon entropy, the min-entropy, or, more generally, the Rényi entropy of order $\alpha$, for any $\alpha \in [0, \infty]$.

It is thus not surprising that $(\delta, \{Q_{X_i|X^{i-1}}\})$-sources are at least as useful as Santha-Vazirani sources. More precisely, Lemma 2 below states that, for any $\alpha$, there exist channels $Q_{X_i|X^{i-1}}$ and a deterministic strategy $\gamma$ which allows one to simulate an $\alpha$-SV source from any $(\delta, \{Q_{X_i|X^{i-1}}\})$-source, for $\delta = 1 - 2\alpha$. Hence, any impossibility result for $(\delta, \{Q_{X_i|X^{i-1}}\})$-sources also holds for $\alpha$-SV sources.

Note that any probabilistic strategy would require additional (perfect) randomness. 
Lemma 2. For any $\delta > 0$, there exist channels $Q_{X_i|X^{i-1}}$, for $i \in \{1, \dots, n\}$, and a function $\gamma$ such that the following holds: Let $P_{X^n}$ be an arbitrary $(\delta, \{Q_{X_i|X^{i-1}}\})$-source. Then the probability distribution $P_{Y^n}$ defined by $Y_i := \gamma(X_i)$, for $i \in \{1, \dots, n\}$, is an $\alpha$-SV source, for $\alpha = \frac{1-\delta}{2}$.

Proof. Let $P_S$ be the binary probability distribution with $P_S(0) = \frac{1+\delta}{2}$. For any $i \in \{1, \dots, n\}$, let the channel $Q_{X_i|X^{i-1}}$ be defined by $Q_{X_i|X^{i-1}=x^{i-1}} := P_S$. Additionally, let $\gamma$ be the function on $\{0, 1, \perp\}$ defined by

$$\gamma(x) := \begin{cases} x & \text{if } x \in \{0, 1\} \\ 1 & \text{if } x = \perp . \end{cases}$$

It is easy to verify that, for any $i \in \{1, \dots, n\}$ and $x^{i-1} \in \{0, 1, \perp\}^{i-1}$,

$$P_{\gamma(X_i)|X^{i-1}=x^{i-1}}(0) \le P_S(0) = \frac{1+\delta}{2} = 1 - \alpha$$

$$P_{\gamma(X_i)|X^{i-1}=x^{i-1}}(0) \ge P_S(0)(1 - \delta) = \frac{1+\delta}{2}(1 - \delta) \ge \alpha ,$$

i.e., $P_{\gamma(X_i)|X^{i-1}=x^{i-1}}(0) \in [\alpha, 1 - \alpha]$. By convexity, it follows that $P_{Y_i|Y^{i-1}=y^{i-1}}(0) \in [\alpha, 1 - \alpha]$, for any $y^{i-1} \in \{0, 1\}^{i-1}$, which concludes the proof. □
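Lemma 2's simulation can be checked exactly on small instances. The Python sketch below is an added example, not code from the paper: it builds a $(\delta, \{P_S\})$-source for a chosen erasure strategy, applies $\gamma$, and computes the range of $P_{Y_i|Y^{i-1}=y^{i-1}}(0)$ with exact fractions, taking $\alpha = (1-\delta)/2$ (the relation $\delta = 1 - 2\alpha$ stated above). The names `make_source`, `sv_range`, the `pick` callback and the sample adversary are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

BOT = "_|_"  # stands for the erasure symbol

def gamma(x):
    """Lemma 2's map: bits pass through, an erasure becomes 1."""
    return 1 if x == BOT else x

def make_source(n, delta, pick):
    """Conditional distributions of a (delta, {P_S})-source, P_S(0) = (1+delta)/2.
    pick(prefix, x) in [0, 1] is the adversary's choice (hypothetical helper):
    the share of the allowed delta-fraction of P_S(x) that is moved to the
    erasure symbol after the given prefix."""
    p_s = {0: (1 + delta) / 2, 1: (1 - delta) / 2}
    cond = {}
    for i in range(n):
        for prefix in product((0, 1, BOT), repeat=i):
            p = {x: p_s[x] * (1 - delta * pick(prefix, x)) for x in (0, 1)}
            p[BOT] = 1 - p[0] - p[1]
            cond[prefix] = p
    return cond

def sv_range(n, cond):
    """Exact (min, max) of P[Y_i = 0 | Y^{i-1} = y^{i-1}] over all i and all
    prefixes y^{i-1}, where Y_i = gamma(X_i)."""
    joint = {(): Fraction(1)}          # P[X^{i-1} = prefix]
    lo, hi = Fraction(1), Fraction(0)
    for _ in range(n):
        mass, zero, nxt = {}, {}, {}
        for xs, pr in joint.items():
            ys = tuple(gamma(x) for x in xs)
            mass[ys] = mass.get(ys, 0) + pr
            zero[ys] = zero.get(ys, 0) + pr * cond[xs][0]  # Y_i = 0 iff X_i = 0
            for x, px in cond[xs].items():
                nxt[xs + (x,)] = pr * px
        for ys, m in mass.items():
            if m > 0:
                lo, hi = min(lo, zero[ys] / m), max(hi, zero[ys] / m)
        joint = nxt
    return lo, hi

if __name__ == "__main__":
    delta = Fraction(1, 5)
    # Constructed adversary: erase 0s after an even number of erasures, else 1s.
    adv = lambda prefix, x: int(x == prefix.count(BOT) % 2)
    lo, hi = sv_range(4, make_source(4, delta, adv))
    print((1 - delta) / 2, lo, hi, (1 + delta) / 2)
```

Because an erasure is visible only as a 1 after $\gamma$, the conditional probability given $y^{i-1}$ is a mixture over all prefixes $x^{i-1}$ that map to it, which is the convexity step of the proof.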

Note that the converse of Lemma 2 is not true, i.e., Santha-Vazirani sources are generally weaker than $(\delta, \{Q_{X_i|X^{i-1}}\})$-sources. To see this, let, e.g., for any $i \in \{1, \dots, n\}$, $Q_{X_i|X^{i-1}}$ be the channel defined by the uniform distribution over $\mathcal{X} := \{0, 1\}$, i.e., $Q_{X_i|X^{i-1}=x^{i-1}}(0) = \frac{1}{2}$, for all $x^{i-1} \in \mathcal{X}^{i-1}$. It follows from (5) that the entropy of any $(\delta, \{Q_{X_i|X^{i-1}}\})$-source $P_{X_1 \cdots X_n}$ is at least $n$, for any small enough $\delta > 0$. On the other hand, the entropy of an $\alpha$-SV source $P_{Y_1 \cdots Y_n}$, for any $\alpha \ne \frac{1}{2}$, is generally smaller than $n$. As the entropy of a random variable can only decrease when applying a (deterministic) function, the values $(Y_1, \dots, Y_n)$ cannot be used to simulate $(X_1, \dots, X_n)$.